Strong Security for Large VoIP Networks
ClueCon 2011, Chicago
Daniel-Constantin Mierla, Co-Founder Kamailio SIP Server
http://www.asipto.com
A bit of history - 10 years SER
[Timeline figure; labels recovered from the slide: Sep 2001, first line of code at FhG Fokus Institute, Berlin; 2002, open source under the GPL as SIP Express Router (SER); Jun 2005, OpenSER; Jul 2008, rename to Kamailio; Nov 2008, "Same application: Kamailio - SER" (other forks remain separate); v1.5.0; Oct 2009; Jan 2010, v3.0.0, integration completed; Oct 2010, v3.1.0; Autumn 2011, v3.2.0; Awarded Best Open Source Networking Software 2009 by InfoWorld.]
© 2011 asipto.com
I am doing a usage survey (voluntary - confidential - anonymous)
- minutes or calls per month, active subscribers...
- so far about 15 reports, resulting in over 3 000 000 000 minutes/month
http://www.kamailio.org
http://sip-router.org
3.x Releases: One application, Two names
Constrained mainly by database schema
• during 2005 - 2008, SER and Kamailio developed different database structures to store user profiles and routing data
• strong dependency on administration and auto-provisioning systems
Example
• subscriber: username, password, DID, ACL, a.s.o.
• Kamailio - table with many columns (one attribute in a dedicated column)
• SER - table with many rows of (attribute name, attribute value)
Many duplicated modules were merged meanwhile
New in 3.1.0
• Embedded Lua
• Embedded Python
• Extended preprocessor directives
  • #!define
  • #!subst
• New variables
• Interactive config debugger
  • step-by-step execution
  • execution trace
• xlog enhancements
  • print cfg line
• k&s modules integration
• Asynchronous TLS
• UDP raw sockets
• Multi-homed improvements
• Load balancing
  • weight
  • call load
• Traffic shaping
• GeoIP API
• Registration to remote servers
• Reason header for Cancel
• Embedded HTTP & XCAP servers
• Cfg tree caching & message queue systems
Themes: Maintenance, Flexibility, Performance, Features
http://www.kamailio.org/w/kamailio-openser-v3.1.0-release-notes/
State of the project
Internal architecture refactored for v3.0.0
− support asynchronous processing
  − TCP and TLS SIP request handling
  − transaction management
− internal libraries
Right now
• very stable core and main components
➡ topped with our well known scalability and flexibility
• safe framework for future development
➡ your work (extensions and deployments) is safe from now on for many years - there is no need to change the architecture again
• focus is on new features
➡ 3.2.0 (and the next slides) shows that
Scalability (info from public domain)
• services with millions of active subscribers
➡ 1&1 Germany (> 3M)
• services routing billions of call minutes per month
➡ might be the guy next to you (or pay attention tomorrow)
New in 3.2.0
• Distributed Message Queue - using SIP and peer-to-peer
• Many native extensions to Lua - cfg routing logic all in Lua
• SQLite connector - use file based database for embedded systems
• Partitioned user location service - many nodes sharing location data
• Redis No-SQL - connector from config
New in 3.2.0 - presence server
• RLS - OMA specs, split NOTIFY bodies, XPath support within doc
• Reg-Info implementation - RFC3860, pub-sub service for location data
• Embedded XCAP server - OMA specs, If-Match cond
• Presence Server - data distribution across many instances through database
• Presence User Agent - updates for latest RL services
New in 3.2.0
• ipops module - a set of operations for handling IPv4/IPv6 addresses
• async module - run asynchronously parts of config file (route blocks)
• sdpops module - SDP body management
New features in old parts
• acc - write full CDR at once
• dialog - attach extra attributes
• core - more pre-processor directives
• pv - new variables and transformations
• tmx - export of async TM functions
• sqlops - support for xavps
• uac - enhancements to remote registration
• siptrace - traffic replication enhancements
• .....
IMS Extensions - about 10 new modules (P-CSCF, I-CSCF, S-CSCF...)
SIP:Provider CE
SIP:Provider - http://www.sipwise.com/products/spce/
* complete VoIP servicing platform using Kamailio for SIP routing
* administration interface and user portal
* ready to roll-out open source Community Edition
* easy to install with DEB packages - images for VMWare and VirtualBox
Elsipo - this SIP browser
https://github.com/miconda/elsipo
Homer Project
Siremis 2.0
http://siremis.asipto.com/
Security For Large VoIP Networks
TLS - Encryption of communication
• now as simple as loading a module - tls
• no more headaches like in 1.x - no need to recompile everything
• very scalable
• asynchronous TLS sending
• can be configured via module parameter or dedicated config file
TLS - via Config File
Config by .ini-like file
• dedicated file which can contain tls attributes
• can include config for more than one server
• can include config specific for clients
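The module-parameter route to the same setup, written as an added example in kamailio.cfg syntax (it is not part of the slides or of the Kamailio distribution). It loads the tls module, points it at a dedicated file for per-socket overrides, and adds a routing check that refuses to challenge REGISTER over plaintext transports, so digest credentials only ever travel inside TLS. The listen address 203.0.113.10, the key, certificate and CA paths, and the /etc/kamailio/tls.cfg location are placeholders.

```cfg
# Added example (not from the slides): TLS enabled through module parameters.
# Addresses and file paths below are placeholders to be replaced.
enable_tls=yes
listen=udp:203.0.113.10:5060
listen=tls:203.0.113.10:5061

loadmodule "sl.so"
loadmodule "tls.so"

# key and certificate presented to connecting clients (placeholder paths)
modparam("tls", "private_key", "/etc/kamailio/tls/server.key")
modparam("tls", "certificate", "/etc/kamailio/tls/server.pem")
# CA bundle used when a peer certificate is verified (placeholder path)
modparam("tls", "ca_list", "/etc/kamailio/tls/ca-bundle.pem")
# phones rarely carry client certificates: neither require nor verify them
# by default; the dedicated file below can tighten this per listening socket
modparam("tls", "verify_certificate", 0)
modparam("tls", "require_certificate", 0)
# optional .ini-like file from the slide above (placeholder path); attributes
# found there override the parameters set here
modparam("tls", "config", "/etc/kamailio/tls.cfg")

request_route {
    # digest credentials should never be challenged for over a clear channel:
    # accept REGISTER only when it arrived over the TLS socket
    if (is_method("REGISTER") && proto != TLS) {
        sl_send_reply("403", "TLS Required");
        exit;
    }
    # ... authentication and registration handling follows ...
}
```

In the dedicated file the same attribute names appear as key = value lines grouped under [server:default], [server:IP:PORT] and [client:default] headers, which is how one listener can demand client certificates (for example a trunk to a peer) while the socket facing phones does not.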
TLS - Scalability
• a research project about Green VoIP
• by Columbia University, NY
• using complete config file, with user authentication and NAT traversal
• injected traffic captured from a European ITSP
http://www.kamailio.org/w/2011/05/green-voip-energy-efficiency-and-performaces-of-v3-0/
TLS - Stress tests
• private company lab environment
• Kamailio 3.1.x with 8 children and 2 GB memory
• traffic stress
  • 6000 SIP messages/second for 2 weeks
• socket stress
  • created over 4000 connections
  • released the connections immediately
  • at the same time created more connections
Topology hiding
TOPOH module
• secret key to encode/decode
• encoded fields are SIP grammar valid
• encoding IP and prefixes can be set via parameters
• survive restarts
• no functions to be called in config file
• everything is done automatically
• hooks in core after receiving and before sending
• just load the module and adjust parameters
• penalty on 2000 call setups / second is not noticeable
• use it with a media relay to hide the source of media traffic
Topology hiding

    ...
    loadmodule "topoh.so"
    ...
    # ----- topoh params -----
    modparam("topoh", "mask_key", "my secret here")
    modparam("topoh", "mask_ip", "10.1.1.10")
    ...
Topology hiding - INVITE in

    U 2011/02/18 20:09:05.622472 192.168.178.27:40416 -> 192.168.178.26:5060
    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP 192.168.178.27:40416;branch=z9hG4bK321149767
    From: "105" <sip:[email protected]>;tag=166646806
    To: <sip:[email protected]>
    Call-ID: [email protected]
    CSeq: 50 INVITE
    Contact: "105" <sip:[email protected]:40416>
    Max-Forwards: 70
    User-Agent: Grandstream GXV3140 1.0.7.3
    Privacy: none
    P-Preferred-Identity: "105" <sip:[email protected]>
    Supported: replaces, path, timer
    Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
    Content-Type: application/sdp
    Accept: application/sdp, application/dtmf-relay
    Content-Length: 483

Topology hiding - INVITE out

    U 2011/02/18 20:09:05.628883 192.168.178.26:5060 -> 192.168.178.22:1056
    INVITE sip:[email protected]:1056;line=mu3z2i1j SIP/2.0
    Record-Route: <sip:192.168.178.26;lr=on>
    Via: SIP/2.0/UDP 192.168.178.26;branch=z9hG4bK8d21.062561f6.0
    Via: SIP/2.0/UDP 10.1.1.10;branch=z9hG4bKsr-JfymiMenCtp4urS5CX1ZiHvRItc.TM5nCHOBT6SfCXN94v5pswyRIRDZN80HU6gBI8LqTwDiCMe.CXm0TMNP
    From: "105" <sip:[email protected]>;tag=166646806
    To: <sip:[email protected]>
    Call-ID: [email protected]
    CSeq: 50 INVITE
    Contact: "105" <sip:10.1.1.10;line=sr-ORylIHvlTJS.IXenCXNciHvPItcZTMWfC6m.T5**>
    Max-Forwards: 69
    User-Agent: Grandstream GXV3140 1.0.7.3
    Privacy: none
    P-Preferred-Identity: "105" <sip:[email protected]>
    Supported: replaces, path, timer
    Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
    Content-Type: application/sdp
    Accept: application/sdp, application/dtmf-relay
    Content-Length: 483

Compared with the incoming request, the phone's own Via and Contact (192.168.178.27:40416) are replaced on the way out by encoded values that point at the mask_ip address 10.1.1.10; the encoded strings are valid SIP branch and line parameters, so the callee's device handles them as it would any other.
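The slides show topoh alone; the fragment below is an added example (not from the slides or the Kamailio distribution) that pairs it with an rtpproxy media relay, which is the combination the "use it with a media relay" bullet refers to: topoh hides the hosts in the signaling, rtpproxy hides them in the SDP and in the media path. It additionally enables mask_callid. The rtpproxy control socket udp:127.0.0.1:7722, the secret value and the route names are assumptions; the surrounding loose_route and authentication logic of a full config is elided.

```cfg
# Added example (not from the slides): topoh together with an rtpproxy media
# relay, so that neither the signaling nor the media reveals internal hosts.
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "textops.so"
loadmodule "topoh.so"
loadmodule "rtpproxy.so"

# ----- topoh params -----
# secret used to encode and decode the hidden header values (placeholder)
modparam("topoh", "mask_key", "replace-with-a-long-random-secret")
# address that appears in the masked Via/Contact/Record-Route headers
modparam("topoh", "mask_ip", "10.1.1.10")
# also encode the Call-ID, which otherwise still carries the caller's host part
modparam("topoh", "mask_callid", 1)

# ----- rtpproxy params -----
# control socket of a local rtpproxy instance (assumed to be running)
modparam("rtpproxy", "rtpproxy_sock", "udp:127.0.0.1:7722")

request_route {
    # topoh needs no function call here: encoding happens in core hooks
    # after receiving and before sending
    record_route();
    # rewrite the SDP connection data to the relay so media never flows
    # directly between the endpoints; for BYE/CANCEL the same call releases
    # the relay session
    if (has_body("application/sdp") || is_method("BYE|CANCEL")) {
        rtpproxy_manage();
    }
    if (is_method("INVITE")) {
        t_on_reply("MEDIA");
    }
    if (!t_relay()) {
        sl_reply_error();
    }
}

onreply_route[MEDIA] {
    # the answer SDP (183/200) must pass through the relay as well
    if (has_body("application/sdp")) {
        rtpproxy_manage();
    }
}
```

mask_callid changes the Call-ID the far side sees, so anything that correlates the two legs of a call by Call-ID outside Kamailio (external accounting, trace collection) needs to be checked before turning it on.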
DoS and DDoS attacks
- in a day by day service monitoring ...
Useful modules
HTABLE module - generic cache system
• track failed authentication
• forbid new attempts if a threshold is reached in a certain period of time
• send alerts to admin, etc.
• example with registrations
  • prevent discovery of user passwords
  • detect mistyped passwords
RATELIMIT module - definition of generic pipes and queues
• types of SIP requests associated with queues
• queues associated with pipes
• similar to BSD ipfw
• various algorithms to drop traffic
• does not take into consideration the source IP address
• can be used for DDoS alerts as well
• no internal actions for blocking
• reports when there is higher traffic than the limit on a pipe
• it is the administrator's decision in the config file: drop silently or send a stateless reply
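An added example (not from the slides or the Kamailio distribution) of the queue/pipe model described above: one queue per request type feeding its own pipe, and the two reactions the last bullet leaves to the administrator. The "N:METHOD" queue format, the "N:ALGORITHM:LIMIT" pipe format and the "*" catch-all follow the module's documented parameter syntax as I recall it; the numeric limits and the timer interval are assumptions and need tuning against real traffic.

```cfg
# Added example (not from the slides): ratelimit queues and pipes with both
# reactions, a stateless 503 for INVITE and a silent drop for everything else.
loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "textops.so"
loadmodule "ratelimit.so"

# how often the per-pipe counters are evaluated, in seconds (assumed value)
modparam("ratelimit", "timer_interval", 5)

# queue N holds the matching requests and is metered by pipe N;
# queue 2 with "*" catches every method not listed before it
modparam("ratelimit", "queue", "0:INVITE")
modparam("ratelimit", "queue", "1:REGISTER")
modparam("ratelimit", "queue", "2:*")

# pipe definitions: "number:algorithm:limit" (limit units are the module's,
# the values here are assumptions, not measured capacities)
modparam("ratelimit", "pipe", "0:TAILDROP:100")
modparam("ratelimit", "pipe", "1:TAILDROP:50")
modparam("ratelimit", "pipe", "2:RED:200")

request_route {
    # rl_check() picks the queue by the request method and returns false
    # when the pipe behind it is over its limit; ratelimit itself blocks
    # nothing, the reaction is decided here
    if (!rl_check()) {
        # same line every time, so monitoring can alert on it (the module
        # ignores the source address, so $si is added for the operator)
        xlog("L_WARN", "ratelimit exceeded: $rm from $si:$sp\n");
        if (is_method("INVITE")) {
            # stateless 503 with Retry-After, so a well-behaved caller backs off
            rl_drop();
        }
        # REGISTER and the rest: drop silently, nothing goes back to the sender
        exit;
    }
    # ... normal routing continues ...
}
```

Because the limit is per pipe and not per source, a single busy peer can push the whole INVITE pipe over its limit; the per-address checks on the following slides (pike, htable) are the complement, not a replacement.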
new PIPELIMIT module - since 3.1.0
• like RATELIMIT, but ...
• pipe definitions in database
• dynamic names for pipes
• no limit for number of pipes
• re-load at runtime
• no embedded queues definition, config language gives better tools to define them with conditions
more modules to look at: pike, dialog, sqlops, memcached, ndb_redis ...
Scanning - Brute Force Attacks
http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
• block user for 15 minutes if it fails to authenticate 3 times in a row
Flooding - block SIP attacks in config
• block traffic from specific IP address for 5 minutes if it exceeded a threshold
Fail2ban - blocking in the firewall
• firewall traffic from specific IP address if it sends traffic that fails to authenticate 3 times in a row
<<< message in syslog (screenshot of the alert line)
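The three slides above (user blocking after 3 failures, source blocking after a flood, and a syslog line for fail2ban) in one kamailio.cfg fragment, written as an added example that is not the KB article's or the Kamailio distribution's own config. The 3-failure, 15-minute and 5-minute values come from the slides; the pike thresholds, the hash table names userban and ipban, the route name AUTH and the database URL are assumptions. The per-user counter lives in htable keyed by the Authorization username ($au), the per-address ban in a second htable filled from pike.

```cfg
# Added example (not from the slides): brute-force and flood protection with
# htable + pike, plus an alert line shaped for a fail2ban filter.
loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "htable.so"
loadmodule "pike.so"
loadmodule "auth.so"
loadmodule "auth_db.so"

# per-user failure counters; entries expire 900 s (15 min) after being set
modparam("htable", "htable", "userban=>size=8;autoexpire=900;")
# flooding sources; entries expire 300 s (5 min) after being set
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# pike: more than 16 requests within 2 s from one address counts as flooding
# (assumed thresholds)
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

# assumed location of the subscriber table
modparam("auth_db", "db_url", "mysql://kamailio:kamailiorw@localhost/kamailio")
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")

request_route {
    # --- flooding: per source address, before anything expensive runs ---
    # skip the server's own addresses; trusted peers such as PSTN gateways
    # should be excluded here as well
    if (src_ip != myself) {
        if ($sht(ipban=>$si) != $null) {
            # already banned: drop silently, no reply that feeds the sender
            xdbg("request from banned IP - $rm from $fu (IP:$si:$sp)\n");
            exit;
        }
        if (!pike_check_req()) {
            xlog("L_ALERT", "ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
            # the entry lives until htable expires it after 300 s
            $sht(ipban=>$si) = 1;
            exit;
        }
    }

    if (is_method("REGISTER")) {
        route(AUTH);
        # ... save("location") and the rest of registration handling ...
        exit;
    }
    # ... remaining routing logic ...
}

route[AUTH] {
    # without credentials there is nothing to count yet: just challenge
    if ($au == $null) {
        auth_challenge("$fd", "0");
        exit;
    }
    # --- brute force: the third failure in a row bans the user for 15 min ---
    if ($sht(userban=>$au::count) != $null && $sht(userban=>$au::count) >= 3) {
        sl_send_reply("403", "Forbidden");
        exit;
    }
    if (!auth_check("$fd", "subscriber", "1")) {
        if ($sht(userban=>$au::count) == $null) {
            $sht(userban=>$au::count) = 1;
        } else {
            $sht(userban=>$au::count) = $sht(userban=>$au::count) + 1;
        }
        if ($sht(userban=>$au::count) == 3) {
            # one alert per ban, in a fixed shape a fail2ban filter can match
            xlog("L_ALERT", "ALERT: auth failure - user $au from $fu (IP:$si:$sp)\n");
        }
        auth_challenge("$fd", "0");
        exit;
    }
    # a successful authentication clears the counter, so a password mistyped
    # once or twice and then corrected does not lock the user out
    $sht(userban=>$au::count) = $null;
}
```

The L_ALERT line reaches syslog, so the fail2ban side needs only a filter whose failregex matches it and extracts the address, for example `ALERT: auth failure - user .* \(IP:<HOST>:\d+\)` against /var/log/syslog; since the counting to three already happened in Kamailio, the jail's maxretry can be 1. Banning in the firewall stops the attacker's packets before they cost a Kamailio worker anything, which the in-config ban does not.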
OpenIMSCore
Daniel-Constantin Mierla, Co-Founder Kamailio
http://www.asipto.com
Thank you! Questions?
Twitter: @miconda